svn commit: lorikeet r312 - in trunk/heimdal: kdc lib/hdb

abartlet at samba.org abartlet at samba.org
Sat May 21 00:28:46 GMT 2005


Author: abartlet
Date: 2005-05-21 00:28:46 +0000 (Sat, 21 May 2005)
New Revision: 312

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=312

Log:
These subtle changes (which I am far from sure of the kerberos
correctness of), allow the KDC to operate with its dual personality
of long and short names, and to have an implicit inter-realm trust
between them.

(This allows the krbtgt principal to be treated differently in both
AS_REQ and TGS_REQ packets).

We are now at the stage where we need the PAC.

Andrew Bartlett

Modified:
   trunk/heimdal/kdc/kerberos5.c
   trunk/heimdal/lib/hdb/hdb-ldb.c


Changeset:
Modified: trunk/heimdal/kdc/kerberos5.c
===================================================================
--- trunk/heimdal/kdc/kerberos5.c	2005-05-20 13:25:50 UTC (rev 311)
+++ trunk/heimdal/kdc/kerberos5.c	2005-05-21 00:28:46 UTC (rev 312)
@@ -718,7 +718,7 @@
 	goto out;
     }
 
-    ret = db_fetch(server_princ, HDB_ENT_TYPE_KRBTGT, &server);
+    ret = db_fetch(server_princ, HDB_ENT_TYPE_SERVER, &server);
     if(ret){
 	kdc_log(0, "UNKNOWN -- %s: %s", server_name,
 		krb5_get_err_text(context, ret));
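Review bot: The changed db_fetch call drops the krbtgt-specific lookup for the AS_REQ server principal without saying why, and the hunk now depends on the HDB backend to reclassify krbtgt/<realm> names (the companion change in hdb-ldb.c in this commit does that); with a backend that does not, the krbtgt entry is fetched as an ordinary server and loses the server/invalid overrides the ldb backend applies to KRBTGT entries. A one-line comment above the call would make that dependency explicit: `/* Fetched as a plain server; the backend upgrades krbtgt/<realm> to HDB_ENT_TYPE_KRBTGT itself (see hdb-ldb.c) */`. The enclosing function starts and ends outside the hunk.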
@@ -1788,7 +1788,7 @@
 				       ap_req.ticket.sname,
 				       ap_req.ticket.realm);
     
-    ret = db_fetch(princ, HDB_ENT_TYPE_KRBTGT, &krbtgt);
+    ret = db_fetch(princ, HDB_ENT_TYPE_SERVER, &krbtgt);
 
     if(ret) {
 	char *p;
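Review bot: The principal fetched on the changed line is built from ap_req.ticket.sname and ap_req.ticket.realm, which the client supplies in the clear, and it is now looked up as HDB_ENT_TYPE_SERVER, so any service entry can come back where previously a krbtgt-typed lookup was requested; unless something after the hunk verifies that the returned entry really is a ticket-granting service, a plain service ticket could be presented here as a TGT and decrypted with that service's key (the enclosing function begins and ends outside the hunk, so I cannot see such a check). The cheap guard is on the name itself, before the fetch: `if (princ->name.name_string.len != 2 || strcmp(princ->name.name_string.val[0], KRB5_TGS_NAME) != 0) { ret = KRB5KRB_AP_ERR_NOT_US; goto out; }` using whatever cleanup label the function actually has. That keeps the backend reclassification in hdb-ldb.c from being the only thing separating an ordinary service key from the TGS path.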

Modified: trunk/heimdal/lib/hdb/hdb-ldb.c
===================================================================
--- trunk/heimdal/lib/hdb/hdb-ldb.c	2005-05-20 13:25:50 UTC (rev 311)
+++ trunk/heimdal/lib/hdb/hdb-ldb.c	2005-05-21 00:28:46 UTC (rev 312)
@@ -288,7 +288,6 @@
 	ent->flags = uf2HDBFlags(context, userAccountControl, ent_type);
 
 	if (ent_type == HDB_ENT_TYPE_KRBTGT) {
-		ent->flags.initial = 1;
 		ent->flags.invalid = 0;
 		ent->flags.server = 1;
 	}
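Review bot: Removing `ent->flags.initial = 1` silently changes what the KDC enforces for krbtgt entries, and the hunk leaves no comment saying the value now comes from uf2HDBFlags on the line above and why that is wanted; as far as I recall Heimdal's HDBFlags documents `initial` as "require as-req", so if the KDC honours it on the TGS path this bit decides whether a TGT for this realm can be obtained with another TGT rather than only by initial authentication, which the implicit inter-realm trust in the log message appears to need. Put the rationale where the line was removed, e.g. `/* initial is left to uf2HDBFlags: krbtgt/<other name> must be obtainable via TGS for the implicit inter-realm trust */`, and confirm that uf2HDBFlags never sets initial for the krbtgt account, otherwise the cross-realm path breaks again. The enclosing function is outside the hunk.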
@@ -492,6 +491,7 @@
 		p[0] = '\0';
 	}
 
+	
 	switch (ent_type) {
 	case HDB_ENT_TYPE_KRBTGT:
 		filter = talloc_asprintf(mem_ctx, "(&(objectClass=user)(samAccountName=%s))", 
@@ -587,7 +587,11 @@
 
 	count = ldb_search(ldb_ctx, realm_dn, LDB_SCOPE_BASE, "(objectClass=domain)",
 			   realm_attrs, &msg);
-	*pmsg = talloc_steal(mem_ctx, msg);
+	if (pmsg) {
+		*pmsg = talloc_steal(mem_ctx, msg);
+	} else {
+		talloc_free(msg);
+	}
 
 	if (count < 1) {
 		krb5_warnx(context, "ldb_search: dn: %s not found: %d", realm_dn, count);
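Review bot: The new `else` branch frees `msg` regardless of whether ldb_search succeeded; if ldb_search leaves `msg` untouched when it returns a negative count, this frees an uninitialised pointer (the declaration of `msg` and the code before the search are outside the hunk). Either initialise the result before the call or guard the free with the count, `} else if (count >= 0) { talloc_free(msg); }` — the `talloc_steal` path has the same caveat, since it would hand the caller garbage. Note also that the `krb5_warnx` on the `count < 1` path now fires for every existence probe made with `pmsg == NULL`, which the new caller in this commit does per request with a client-supplied realm name, so consider lowering it to debug level for probe calls.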
@@ -758,6 +762,16 @@
 
 	realm_dn = realm_msg[0]->dn;
 
+	/* Cludge, cludge cludge.  If the realm part of krbtgt/realm
+	 * is in our db, then direct the caller at our primary
+	 * krgtgt */
+	if(principal->name.name_string.len == 2
+	   && (strcmp(principal->name.name_string.val[0], KRB5_TGS_NAME) == 0)
+		&& (LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db,
+				     mem_ctx, principal->name.name_string.val[1], NULL) == 0)) {
+		ent_type = HDB_ENT_TYPE_KRBTGT;
+	}
+
 	ret = LDB_lookup_principal(context, (struct ldb_context *)db->hdb_db, 
 				   mem_ctx, 
 				   principal, ent_type, realm_dn, &msg);
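Review bot: The redirect to the primary krbtgt is decided solely by whether the client-supplied second name component (`principal->name.name_string.val[1]`) resolves through LDB_lookup_realm, which in this commit is a base search for any `(objectClass=domain)` object; nothing compares it with the realm this KDC actually issues TGTs for (`principal->realm`, or the long/short names mentioned in the log message), so any realm name that yields a domain object is served with this KDC's own TGT key. Since that is an authorization decision, the block should at least carry a comment stating the trust assumption and the open question, e.g. `/* TODO: restrict to the realm names this KDC serves; any realm that resolves to a domain object is currently treated as ours */`, and the realm string should be validated before it is passed in if LDB_lookup_realm builds a DN from it without escaping (that construction is outside the hunk). The KRBTGT branch of the lookup filter earlier in this file then selects the krbtgt account by samAccountName alone, so the realm component is effectively discarded once this check passes.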


